@kitsy/cnos-docs 1.11.0 → 1.11.2
package/docs/api/runtime.mdx
CHANGED
|
@@ -119,7 +119,7 @@ Vault selection is declared in `.cnos/cnos.yml`; runtime code only declares whic
|
|
|
119
119
|
|
|
120
120
|
```ts
|
|
121
121
|
import cnos from '@kitsy/cnos';
|
|
122
|
-
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp
|
|
122
|
+
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp';
|
|
123
123
|
|
|
124
124
|
cnos.registerSecretVaultProvider(createGcpSecretManagerVaultProvider());
|
|
125
125
|
await cnos.ready();
|
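Review bot: the unterminated import (`'@kitsy/cnos-vault-gcp` without its closing quote and semicolon) is corrected here and in four more `.mdx` snippets further down this diff, and the correction is right, but nothing in the change stops the same truncation from shipping again. Consider a CI step that extracts the ```ts blocks from the docs and at least parses them with the TypeScript compiler, since these registration snippets are what a user copies first and a syntax error there is the first impression of the package.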
package/docs/cli/secret.mdx
CHANGED
|
@@ -9,10 +9,13 @@ description: Set, get, list, and delete secrets through configured vaults.
|
|
|
9
9
|
cnos secret set app.token super-secret --vault default
|
|
10
10
|
cnos secret set app.token --vault default
|
|
11
11
|
printf "super-secret" | cnos secret set app.token --vault default --stdin
|
|
12
|
+
cnos secret set app.token --vault prod-gcp
|
|
12
13
|
cnos secret get app.token --vault default --reveal
|
|
13
14
|
cnos secret list
|
|
14
15
|
cnos secret list --reveal
|
|
15
16
|
cnos secret delete app.token
|
|
16
17
|
```
|
|
17
18
|
|
|
18
|
-
|
|
19
|
+
For local vaults, omitting `[value]` prompts for a masked value interactively so the secret does not have to appear in shell history. In non-interactive environments, pass the value explicitly or use `--stdin`.
|
|
20
|
+
|
|
21
|
+
For non-local vaults such as `environment`, `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault`, and `azure-key-vault`, `cnos secret set` writes repo-safe reference metadata only. If `[value]` is omitted, CNOS uses the logical path as the external ref and does not prompt for secret material. Create or update the actual secret in the backing vault separately.
|
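Review bot: the non-interactive guidance in the first added paragraph, "pass the value explicitly or use `--stdin`", offers the on-command-line form first even though the preceding sentence exists to keep the secret out of shell history; recommend `--stdin` (or a `< file` redirection) as the primary option and note that an explicit `[value]` also shows up in process listings and CI logs. The new `cnos secret set app.token --vault prod-gcp` line sits in the same block as the local-vault prompting forms with nothing to say it writes only reference metadata and never prompts; a `# non-local vault: records a ref, no value prompt` comment would prevent a reader from waiting for a prompt that never comes. The fallback described in the second paragraph, using the logical path as the external ref when `[value]` is omitted, should also be surfaced by the command itself (a printed notice), because a user who simply forgot the ref argument otherwise gets a silent success.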
package/docs/cli/vault.mdx
CHANGED
|
@@ -18,3 +18,5 @@ For local vaults, `cnos vault create <name>` initializes the encrypted keystore
|
|
|
18
18
|
`cnos vault auth <name>` re-authenticates an existing vault and fails on wrong credentials. Successful auth writes a derived session key under `~/.cnos/secrets/sessions`, so later CNOS commands can reuse it across shells until you run `cnos vault logout <name>` or `cnos vault logout --all`. With `--store-keychain`, CNOS also stores the derived key in the OS keychain.
|
|
19
19
|
|
|
20
20
|
After local vault auth, `cnos secret set <path> --vault <name>` can prompt for a masked secret value interactively when you omit `[value]`.
|
|
21
|
+
|
|
22
|
+
`cnos vault list` can also run outside a CNOS project. In that mode it lists local vault stores from the configured CNOS secret home instead of requiring `.cnosrc.yml`. Project-scoped vault definitions are included when the command runs inside a CNOS workspace.
|
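Review bot: the added `cnos vault list` paragraph refers to "the configured CNOS secret home" without saying where that setting lives or what its default is; the context line above already names `~/.cnos/secrets/sessions`, so state the default directory and the environment variable or config key that overrides it, and say whether listing outside a project needs an authenticated session or only enumerates store names. "Project-scoped vault definitions are included when the command runs inside a CNOS workspace" would read more precisely as "are listed in addition to the local stores when ...", since "included" leaves open whether local stores are still shown in that mode.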
package/docs/guides/secrets.mdx
CHANGED
|
@@ -15,7 +15,7 @@ cnos secret set app.token --vault default
|
|
|
15
15
|
|
|
16
16
|
`cnos vault create default` initializes the local encrypted vault immediately. If CNOS cannot resolve a passphrase from env or keychain, it prompts interactively. `cnos vault auth default` is only for re-authenticating an existing vault and rejects wrong passphrases.
|
|
17
17
|
|
|
18
|
-
|
|
18
|
+
For local vaults, when `[value]` is omitted, `cnos secret set` prompts for a masked secret value so it does not have to appear in shell history. For non-interactive pipelines, use `--stdin` instead:
|
|
19
19
|
|
|
20
20
|
```bash
|
|
21
21
|
printf "super-secret" | cnos secret set app.token --vault default --stdin
|
|
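Review bot: the replacement paragraph steers pipelines to `--stdin`, but the example that follows, `printf "super-secret" | cnos secret set app.token --vault default --stdin`, still places the literal on the command line and therefore in shell history and `ps` output, which is what the paragraph is trying to avoid. Show the value arriving from a file or a CI-provided variable instead, for example `cnos secret set app.token --vault default --stdin < token.txt`, and keep the `printf` form only as an illustration of the input channel.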
@@ -26,10 +26,13 @@ Environment-backed vault:
|
|
|
26
26
|
```bash
|
|
27
27
|
cnos vault create firebase-prod --provider environment --no-passphrase
|
|
28
28
|
cnos secret set app.token APP_TOKEN --vault github-ci
|
|
29
|
+
cnos secret set app.token --vault firebase-prod
|
|
29
30
|
```
|
|
30
31
|
|
|
31
32
|
`environment` is the generic provider for platforms that inject secrets into environment variables before your process starts. `github-secrets` remains a compatibility alias for the same behavior.
|
|
32
33
|
|
|
34
|
+
For non-local vaults such as `environment`, `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault`, and `azure-key-vault`, `cnos secret set` writes reference metadata only. CNOS does not prompt for or store secret material in the repo. If `[value]` is omitted, CNOS uses the logical secret path as the external ref; create or update the actual secret in the backing vault separately.
|
|
35
|
+
|
|
33
36
|
This is the CNOS bridge for common cloud and CI runtimes:
|
|
34
37
|
|
|
35
38
|
- GitHub Actions secrets
|
|
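Review bot: the example block is inconsistent about vault names: it creates `firebase-prod` with `--provider environment`, then sets `app.token APP_TOKEN --vault github-ci`, a vault the block never creates, and the new line targets `firebase-prod` again. Use one vault name throughout, or create both, so the block can be pasted as written. The added explanatory paragraph also repeats the one added to `cli/secret.mdx` in this same release almost word for word; a link to that page would keep the two from drifting, and in both places it would help to say whether the `[value]` given for an `environment` vault is the variable name, as the `APP_TOKEN` example suggests.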
@@ -11,17 +11,17 @@ Remote vault providers are compiled into the application runtime. CNOS never loa
|
|
|
11
11
|
|
|
12
12
|
Official providers use this package shape:
|
|
13
13
|
|
|
14
|
-
- `@kitsy/cnos-vault-gcp
|
|
15
|
-
- `@kitsy/cnos-vault-aws
|
|
14
|
+
- `@kitsy/cnos-vault-gcp`
|
|
15
|
+
- `@kitsy/cnos-vault-aws`
|
|
16
16
|
- `@kitsy/cnos-vault-hashicorp`
|
|
17
|
-
- `@kitsy/cnos-vault-azure
|
|
18
|
-
- `@kitsy/cnos-vault-firebase
|
|
17
|
+
- `@kitsy/cnos-vault-azure`
|
|
18
|
+
- `@kitsy/cnos-vault-firebase`
|
|
19
19
|
|
|
20
20
|
Each package must export a factory named `create<Vendor>VaultProvider()`. The factory returns a `SecretVaultProviderFactory` whose `provider` field exactly matches the manifest provider name.
|
|
21
21
|
|
|
22
22
|
```ts
|
|
23
23
|
import cnos from '@kitsy/cnos';
|
|
24
|
-
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp
|
|
24
|
+
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp';
|
|
25
25
|
|
|
26
26
|
cnos.registerSecretVaultProvider(createGcpSecretManagerVaultProvider());
|
|
27
27
|
await cnos.ready();
|
|
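Review bot: the package list now has matched backticks, but it still does not say which manifest `provider` name each package satisfies, even though the paragraph below it requires the factory's `provider` field to match that name exactly; add the mapping beside each entry (the `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault` and `azure-key-vault` names used in `cli/secret.mdx` are the obvious candidates) and list the concrete factory each package exports, since `create<Vendor>VaultProvider()` is only a pattern and the snippet shows the real name is `createGcpSecretManagerVaultProvider`, not `createGcpVaultProvider`.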
@@ -115,7 +115,7 @@ Install and register the compiled-in provider:
|
|
|
115
115
|
|
|
116
116
|
```ts
|
|
117
117
|
import cnos from '@kitsy/cnos';
|
|
118
|
-
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp
|
|
118
|
+
import { createGcpSecretManagerVaultProvider } from '@kitsy/cnos-vault-gcp';
|
|
119
119
|
|
|
120
120
|
cnos.registerSecretVaultProvider(createGcpSecretManagerVaultProvider());
|
|
121
121
|
await cnos.ready();
|
|
@@ -143,7 +143,7 @@ Install and register the compiled-in provider:
|
|
|
143
143
|
|
|
144
144
|
```ts
|
|
145
145
|
import cnos from '@kitsy/cnos';
|
|
146
|
-
import { createFirebaseSecretsVaultProvider } from '@kitsy/cnos-vault-firebase
|
|
146
|
+
import { createFirebaseSecretsVaultProvider } from '@kitsy/cnos-vault-firebase';
|
|
147
147
|
|
|
148
148
|
cnos.registerSecretVaultProvider(createFirebaseSecretsVaultProvider());
|
|
149
149
|
await cnos.ready();
|
|
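Review bot: `@kitsy/cnos-vault-firebase` and its `createFirebaseSecretsVaultProvider` are documented here as a compiled-in provider, but the non-local vault list added to `cli/secret.mdx` and `guides/secrets.mdx` in this release (`environment`, `gcp-secret-manager`, `aws-secrets-manager`, `hashicorp-vault`, `azure-key-vault`) omits it; state whether `cnos secret set` treats the Firebase provider as reference-only as well, or whether the `firebase-prod --provider environment` example in the guide is the intended route for Firebase deployments.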
@@ -177,7 +177,7 @@ Install and register the compiled-in provider:
|
|
|
177
177
|
|
|
178
178
|
```ts
|
|
179
179
|
import cnos from '@kitsy/cnos';
|
|
180
|
-
import { createAwsSecretsManagerVaultProvider } from '@kitsy/cnos-vault-aws
|
|
180
|
+
import { createAwsSecretsManagerVaultProvider } from '@kitsy/cnos-vault-aws';
|
|
181
181
|
|
|
182
182
|
cnos.registerSecretVaultProvider(createAwsSecretsManagerVaultProvider());
|
|
183
183
|
await cnos.ready();
|
|
@@ -239,7 +239,7 @@ Install and register the compiled-in provider:
|
|
|
239
239
|
|
|
240
240
|
```ts
|
|
241
241
|
import cnos from '@kitsy/cnos';
|
|
242
|
-
import { createAzureKeyVaultProvider } from '@kitsy/cnos-vault-azure
|
|
242
|
+
import { createAzureKeyVaultProvider } from '@kitsy/cnos-vault-azure';
|
|
243
243
|
|
|
244
244
|
cnos.registerSecretVaultProvider(createAzureKeyVaultProvider());
|
|
245
245
|
await cnos.ready();
|